Cybersecurity Ventures expects cybercrime costs to grow about 15% globally between 2021 and 2025. At this rate, the company estimates that by the end of this time period, these costs will reach as much as $10.5 trillion.

So as you can see, when it comes to running a business, protection against cybercrime is essential. Investing in a cybersecurity incident response plan will help you better organize your information technology (IT) programs and save you revenue in the long term. As the cliche saying goes, “Prevention is the best medicine.” As it turns out, a robust cybersecurity incident response plan might be the best “medicine” for breach prevention that an organization can have.

Taking into account the results of a risk assessment will help you learn how to prevent security breaches. And even if you cannot prevent all mishaps, utilizing your incident response plan can help you quickly detect issues, help to minimize any losses, reduce remaining vulnerabilities, and restore your IT services.

Implementing cybersecurity incident response plans and making sure to continually monitor for attacks are both key for defending your sensitive data… and it’s no secret that your confidential information has great value among hackers. Names, credit card numbers, social security numbers, and more (if left undefended) can result in identity theft or fraud.

Take for example Marriott Hotels. A breach of their Starwood guest reservation database resulted in the exposure of up to 500 million people in 2018. Although discovered in 2018, Marriott says the breach actually began in 2014. You don’t want to be that company that has to make up for years of stolen data.

So, what exactly is a cybersecurity incident response plan? I don’t want to spoil that quite yet. But, in this blog, I’ll define what an incident response plan is and provide you with 66 interview questions for your incident response.

• What is an Incident Response Plan?

• Incident Response Plan Questions

  • Step 1: Preparation

  • Step 2: Identification

  • Step 3: Contamination

  • Step 4: Eradication

  • Step 5: Recovery

  • Step 6: Lessons Learned

• Conclusion

A cyber incident response plan is a document that helps companies understand what they should do if a security incident occurs. If you’re an organization that has cyber-related assets, you should be paying attention. As I alluded to earlier, having a well-written incident response plan can save you from huge losses!

Your incident response plan should cover these overarching procedures…

• Protect

• Monitor

• Analyze

• Detect & Respond

After a detected breach occurs, the focus of your team should be on response and recovery. This step includes preventing further damage, restoring infrastructure integrity, reclaiming assets, and reevaluating the effectiveness of your incident response plan. Asking the appropriate questions after a security breach can help you get to the root of any vulnerabilities in your system and/or policies that need updating.

No two incident response plans are going to be the same, but the basic goal is simple: fast detection and an even faster response. Questions following a security incident may vary across companies due to different elements such as network configurations, precedence, and processes. 

NIST’s Computer Security Incident Handling Guide offers companies a solid foundation to build their individualized incident response plan.

The guide contains six phases, let’s take a look:

1. Preparation

2. Identification

3. Containment

4. Eradication

5. Recovery 

6. Lessons Learned

Let’s take a deeper dive into some must-have incident response questions to ask during the post-incident analysis, categorized under each of these phases.

Starting off with a trick question: What are the questions one should ask that have to do with the Preparation phase of the incident report? There really aren’t any. At least, nothing that isn’t better suited to ask under the other phases. 

The Preparation phase is mainly good for ensuring that systems, networks, and applications are secure on a day-to-day basis. This part of the program is better thought of as how to prepare to handle incidents/ prevent incidents before they happen.

The rest of the phases are more suited to when an incident actually happens. 

But, don’t worry. This section isn’t only about me being facetious.

Here are a few interview questions you could ask yourself and your incident response team during the preparation stage:

1. How do we prioritize the protection of assets in case of a security incident?

2. What steps do we take to ensure that we train all of our employees on incident response protocols?

3. How do you establish communication channels with external entities before an incident occurs?

• External entities include law enforcement, incident response teams, and other stakeholders.

4. What tools do you use for ongoing monitoring of your systems for potential security incidents?

5. How often do you update your incident response plan to ensure it remains current and effective?

6. How do you test your incident response plan to ensure its effectiveness?

7. What is your approach to managing and maintaining incident response documentation and records?

8. What is your policy for managing incident response-related information, such as sensitive data or evidence?

9. How do you ensure that your incident response team is available and prepared to respond to a security incident at any time?

10. How do you handle incidents that cross geographical boundaries, such as incidents affecting remote workers or subsidiaries?

As you can likely tell from the questions posed, the preparation phase is ongoing. That statement isn’t a new, groundbreaking discovery. You likely already know that achieving a workplace that’s 100% “secure” isn’t attainable. It’s about constant improvement.

The point I’m trying to make is that NIST’s Computer Security Incident Handling Guide is less of a step-by-step process and more of a cycle. Also, the preparation stage exists within each of the next steps. I alluded to that earlier in this section, but from now on you’ll see a section with interview questions labeled “Preparation” and “Post Incident”.

Identification means that the incident team is now analyzing and validating the severity of an incident reported. Once verified that there is a security breach of some kind, the team must conduct an initial analysis to determine the incident’s scope. 

This scope includes involved networks, systems, or applications. As well as who or what’s responsible for the incident and how it’s occurring. During this phase of your response plan, your security team needs to investigate all details related to the incident. Here are some questions to include in your identification response checklist:

Identification - Preparation

1. What are some indicators of a potential security incident, and how do we identify them?

2. How do we assess the severity and scope of a security incident once it’s identified?

3. How do we ensure to report all incidents to the appropriate authorities and what steps do we take during that reporting process?

4. How do we determine what caused a security incident once it’s identified?

5. How do we ensure that we’ve identified all affected systems, applications, and data?

6. How do we identify who’s responsible for a security incident?

7. How do we communicate the details of a security incident to stakeholders?

8. Do we use any tools that help us identify security incidents?

9. How do we determine whether an incident is a false positive or an actual security threat?

10. What are some common mistakes that other organizations made during the identification phase?

Identification - Post Incident

1. Who reported/discovered the security incident?

2. When was the security incident discovered/reported?

3. Where was the security incident located/discovered?

4. How does this incident impact our business operations?

5. In regards to our network and applications, what is the full extent of this incident?

Contamination planning is essential to control an infection’s spread. For example, you want to isolate affected systems before having malware spread to crucial systems or databases.

The Contamination phase often comes down to making important decisions quickly such as shutting down a system, disconnecting from a network, etc.

Of course, these difficult decisions are easier with predetermined strategies and procedures in place.

Here are some questions to assist in stopping any threat(s) from creating additional damage:

Contamination - Preparation

1. How do we isolate and contain a security incident?

2. How do we prioritize the containment of affected systems and applications during an incident?

3. How do we ensure that what we contain doesn’t interfere with the collection of evidence?

4. How do we ensure that we’ve successfully contained the incident before moving on to the eradication phase?

5. How do we determine the extent of the damage caused once we’ve contained a security incident?

6. How do we ensure that the containment measures we implement don’t negatively impact our operations?

7. How do we document the steps taken during the containment phase for future reference and analysis?

Contamination - Post Incident

1. Is it possible to isolate the incident?

1. If we can isolate it, what steps will you take to do so?

2. If we cannot, document why and continue to work with the owner(s) to resolve the issue.

2. Are non-affected systems isolated from affected systems?

3. Did you create backups to protect crucial data?

4. Are there copies of the infected machines made for forensic analysis?

5. Have we removed malware (along with other threats) from the infected system?

Once you contain the incident, you may need to eliminate remaining components such as malware, or even identify and mitigate any vulnerabilities used. During the Eradication phase, you should identify all affected hosts in the organization. This way, you can remediate them.

Check out the following questions that can help you apply more permanent fixes to your infected system:

Eradication - Preparation

1. How do we remove the source of a security incident?

2. What steps do we take to thoroughly cleanse and restore affected systems before putting them back online?

3. How do we ensure that there aren’t any backdoors or other methods of re-entry?

4. How do you ensure that the eradication measures we implement don’t interfere with the collection of evidence?

5. What are the verification steps we have in place that ensure that the threat has been fully eliminated?

6. Do we use any tools to help us eradicate security incidents?

7. How do we ensure that the eradication measures we implement don’t negatively impact our operations?

8. How do we document the steps taken during the eradication phase for future reference and analysis?

Eradication - Post Incident

1. Have we applied new patches to infected systems?

2. Do we need to reconfigure any systems or applications?

3. Have we reviewed all possible entry points/closed them up?

4. Do we need any additional defenses to eradicate the threat(s)?

5. Have we eradicated all malicious activity from the affected systems?

The Recovery phase is all about restoring your systems to normal operation. You also should confirm these systems are functioning properly and remediate any vulnerabilities to prevent future incidents. This phase may look like restoring systems from backups, rebuilding systems, changing passwords, and more.

Make sure to also review your inventory list as the status and location of items can change.

Here are some baseline questions to incorporate during the Recovery phase:

Recovery - Preparation

1. How do we prioritize the systems and applications that need recovery?

2. How do we test restored systems and applications to ensure that they’re functioning properly again?

3. How do we ensure that the recovery measures we implement don’t introduce new vulnerabilities or risks?

4. How do we handle requests for access to recovered systems and data, such as from employees or customers?

5. How do we document the steps taken during the recovery phase for future reference and analysis?

Recovery - Post Incident

1. Where will recovery and backups pull from?

2. How will we deploy the affected systems back into production?

3. When will we deploy the affected systems back into production?

4. What testing/verifications do we need to do on the infected systems?

5. Is there documentation on the recovery completion steps/inventory check?

The Lessons Learned phase helps your team to evolve in how they handle pending security threats. A Lessons Learned meeting is essential to reflect on not only the incident at large but also possible new threats, improved technology, how well the current intervention worked, and how to improve response time.

A report should cover all phases of your incident report process, remediated threats, as well as what needs to take place in the future to prevent similar infections. Consider these questions at your next Lessons Learned meeting to better tackle your post-incident analysis:

1. Have we recorded the necessary documentation throughout each incident report phase? 

2. Did the response team receive clear authority to segment affected parts of the network to prevent the spread of malware? 

3. Were critical systems and restricted data well-insulated from the attack?

4. Did the organization fully or partially recover lost items? If the answer is ‘partially recovered’, was it due to untested and/or corrupted backups?

5. What are some areas of improvement in the incident response process?

In order to efficiently respond to a security threat, make sure to use the most effective resources throughout the incident response cycle. Especially when it comes to the Lessons Learned phase, so you can better prepare for/protect against future attacks. Working with proactive controls will help your team develop better incident response planning, testing, and training.

 But if you are aware of your obligations in making a data breach notification you can mitigate this stress and hopefully avoid the heavy fines that come with non-compliance.